Data Protection Academy » Data Protection Wiki » Technical organisational measures (TOMs)

A data protection officer implements his TOM according to DSGVO with Robin Data software

Data protection according to GDPR

Technical organisational measures (TOMs)

Even though the General Data Protection Regulation has been in force since 2018, there are hardly any standards for implementing the individual requirements. Particularly in the area of technical organisational measures, requirements from the areas of data protection and data security as well as the laws GDPR and BDSG-new converge. This appears opaque to many data protection officers, and compliance with the requirements appears complicated.

We provide you with an overview of the legal situation and show you how you can guarantee the security of the processing of personal data with the help of technical organisational measures. Whether it's purchases in an online shop or video surveillance - any processing of personal data must be protected by appropriate technical and organisational measures.

In the following article you will learn which technical and organisational measures you should implement and what you should pay attention to when implementing them.

Most important information about Technical Organisational Measures

  • Technical-organisational measures are measures described in the GDPR which are intended to ensure the protection of personal data.
  • Technical-organisational measures are abbreviated as "TOM" or "TOMs".
  • Since the entry into force of the GDPR 2018, are the ones listed in the BDSG. measures described are no longer applicable, instead in Article 32 of the GDPR Technical-organisational measures listed in categories
  • TOMs also serve as proof of compliance with the GDPR, which is why written documentation is mandatory (stipulated in Art. 24 Para. 1 GDPR)

Technical and organisational measures - What is the difference?

Technical measures include any protection of data processing security that can be realized by physical measures or in software and hardware. Organizational measures in the sense of the Article 32 GDPR include measures that involve the implementation of instructions, policies and procedures for employees to ensure the security of the processing of personal data.

Examples of technical measures

  • Use of a firewall
  • Encryption of data carriers and data transfers
  • Pseudonymisation and encryption of personal data
  • Installation of an alarm system
  • Structural protection of buildings/premises
  • Defaults for the password complexity of users (FIDO-2)

Examples of organisational measures

  • Employee training on data protection
  • Visitor registration
  • Data protection compliant disposal of documents with personal data (DIN 66399)

What are the purposes of technical organisational measures?

Technical organizational measures are assigned to the area of data security and serve the purpose of comprehensively protecting personal data in accordance with the latest state of the art. Before you can define suitable TOMs for your company, you must first carry out a risk analysis or a risk assessment. Data Protection Impact Assessment (DPIA) for the processing activities of your company. Once you have identified potential risks for processed personal data, you can adequately protect them through the use of TOMs.

Legal development of technical organisational measures

The old regulations in the BDSG were more of a catalogue of requirements that had to be worked through in order to comply with the law. The new regulations, however, see the TOMs much more as a Criterion in the comprehensive risk assessment to be carried out. On the one hand, this opens up new approaches to the definition of appropriate measures. On the other hand, however, it increases the concrete scope of the assessment to be carried out by the competent authority. Data Protection Officer.

§ 9 BDSG - old

Technical and organisational measures

1 Public and non-public bodies that collect, process or use personal data themselves or on their behalf shall take the technical and organisational measures required to ensure the implementation of the provisions of this Act, in particular the requirements specified in the Annex to this Act.

2 Measures are only necessary if their cost is proportionate to the protective purpose sought.

Article 32 GDPR

Safety of processing

(1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. adequate level of protection These measures shall include, but not be limited to, the following, as appropriate: [...]

Note

The GDPR has replaced the BDSG in its form. As a result, the BDSG has been revised and serves more as a supplement to the GDPR. Art. 32 GDPR lists technical and organisational measures.

What must technical organisational measures contain according to the GDPR?

The Technical Organisational Measures ensure an adequate level of protection in accordance with the GDPR if they contain the following:

  • the pseudonymisation and encryption of personal data;
  • the ability to ensure confidentiality, integrity, availability and resilience of the systems and services related to the processing on a permanent basis;
  • the ability to ensure the availability of and access to personal data in the event of a a physical or technical incident;
  • a procedure for the regular review, assessment and evaluation of the effectiveness of technical and organisational measures to ensure the security of processing.

In doing so, controllers and clients must take into account the state of the art, implementation costs, the severity and likelihood of occurrence of the (potential) risk, the rights and freedoms of data subjects, and the nature, scope, circumstances and purposes of the processing.

Based on these criteria, each company must develop its own catalogue of measures specifically adapted to the company. It should be noted that measures based on the criteria must be permanently reviewed, adapted and updated.

In the Robin Data ComplianceOS® you will be shown suitable TOMs based on your industry and can easily import them into your digital data protection documentation.

What do TOMs mean for companies?

With the entry into force of the GDPR the safety of the processing personal data expanded and with it the documentation and verification obligations. If companies process, collect or store particularly sensitive and personal data, they are obliged to implement TOM.

All measures taken to protect the data must be documented in order to be able to prove precise records of the precautions taken in the event of damage. If technical and organisational measures are carefully documented and implemented your company benefits in many ways. This is how you protect your company from fines and loss of reputation.In addition, sensitive company data and business secrets are also protected.

Structure and systematisation

With the entry into force of the GDPR, the security of the processing of personal data has been expanded and with it the documentation and verification obligations. The General Data Protection Regulation remains rather vague when it comes to a concrete definition of technical organisational measures. In purely schematic terms, the following systematisation patterns can be compared for the definition of TOM:


Classic structure of TOM according to old model:

  • Measures for access control of data processing centres
  • Measures for access control of data processing systems
  • Measures for access control of personal data in data processing systems
  • Measures of transfer control
  • Measures of order control
  • Measures of availability control
  • Measures to implement the separation requirement


In contrast, the following structure is predominantly chosen uniformly today :

Confidentiality

  • Measures for access control of data processing centres
  • Measures for access control of data processing systems
  • Measures for access control of personal data in data processing systems
  • Measures of separation control
  • Pseudonymisation measures

Defined in Art. 32 (1) a) and b) GDPR

Integrity

  • Measures of transfer control
  • Input control measures

Defined in Art. 32 (1) b) GDPR

Procedures for regular review, assessment and evaluation

  • Data Protection Management
  • Incident Response Management
  • Order control

Defined in Art. 32 para. 1 lit. d GDPR and the Art. 25 para. 1 GDPR

Availability and resilience

  • Availability control

Defined in Art. 32. para. 1 lit. b) GDPR

Privacy friendly preferences

  • Privacy by design / Privacy by default

Defined in Art. 25 (2) GDPR

Practical procedure for the creation of technical organisational measures in the company

An important part of the implementation of the Technical Organisational Measures is the documentation of the implemented TOMs. However, it should not be forgotten that the documentation of the measures is only a partial step.

TOMs serve the purpose of comprehensively protecting personal data in accordance with the latest state of the art. Before you can define suitable TOMs for your company, you must first carry out a risk analysis or a risk assessment. Data Protection Impact Assessment (DPIA) for the processing activities of your company. Only the interaction with the specific processing activities will show whether the individual protection measures can be sufficient to ensure the necessary level of security.

Each company must therefore develop its own catalogue of measures specifically adapted to the company. It should be noted that measures must be permanently reviewed, adapted and updated on the basis of the criteria. In purely practical terms, it is therefore advisable to differentiate according to the specific processing scenarios when drafting the TOM.

The following systematisation can be recommended:

  • A representation of the TOMs that concerns all techniques that are applied throughout the enterprise and are likely to affect all processing operations.
  • Individual specific measures, which are assigned to them in the context of the concrete processing activities.
  • (Optional) A representation containing only the measures relevant in processing relationships.

The subsequent risk assessment should also usefully take place in the context of the processing registers, taking into account both the information provided in the "General" TOM and the additional measures of the specific processing operations.

Furthermore, it must be ensured that the organisational measures taken do not merely exist on paper, but that the necessary instructions under labour law are effectively taken vis-à-vis the employees. Only such measures can be considered effective.

Implement your organisation's TOMs with Robin Data

Let ComplianceOS® Compliance Field Data Protection guide you through all the requirements of the GDPR. Starting with the implementation of the register of processing activities, the identification of necessary data protection impact assessments, the implementation of technical organisational measures through to the fulfilment of documentation obligations, Robin Data always provides you with the right tools. Start by booking a short introductory meeting with us.

What is the proportionality principle?

Article 32 of the GDPR states that the implementation costs of the technical and organisational measures must be taken into account in order to ensure a level of protection appropriate to the risk. By taking into account the economic adequacy, the TOM projects may be somewhat limited and, for example, the TOM of a small company may meet different standards than the TOM of a large corporation.

Eight steps to implementation

The process for selecting appropriate security measures, or "ZAWAS" for short, was drawn up by the LfD Lower Saxony and comprises the following steps:

  1. Describe processing activity
  2. Check legal basis
  3. Perform structural analysis
  4. Conduct a risk assessment
  5. Select measures
  6. Evaluate residual risk
  7. Consolidate measures
  8. Implement measures

The ZAWAS principle of the LfD Lower Saxony is a practical orientation for data protection officers who have an overview of the processing activities of their company. After implementing the measures, however, the step of data protection documentation should follow in order to comply with the documentation and verification obligations of the GDPR and to be meaningful in the event of an audit.

Examples of technical organisational measures

  • Locking systems with code locks
  • Chip cards for locked areas
  • Access barriers secured with biometric features
  • Data protection compliant video surveillance
  • Secure firewall
  • Anti-virus software
  • Locking USB ports and other external interfaces
  • Locking of device housings
  • Authentication via password entry or biometric scans
  • Security locks
  • Logging of access to applications and processes such as data destruction
  • Data protection compliant destruction of data carriers (files, drives etc.)
  • Encryption of data carriers and mobile devices

Whitepaper with checklist, samples, templates and examples as PDF

TOM checklist, samples, templates and examples as PDF. Contents are listed in the following text.

In the whitepaper on Technical Organisational Measures you will find:

  • 43 Examples for TOMs divided into confidentiality, integrity and other categories
  • 12 ready-made examples for your data protection documentation
  • Each Examples of technical AND organisational measures
  • Checklist to tick off the TOMs for your company
  • References to background information and relevant legal basis

Unfortunately this content is currently only available in German. Please feel free to contact us for more information.

Who can support the implementation of the technical and organisational measures?

Generally responsible for data protection in a company is the management, which usually delegates this task internally or appoints an external data protection officer. Successful data protection always requires cross-departmental cooperation, especially with regard to TOMs, since contacts from the IT department have the best overview of technical details and technical implementation. But colleagues from the Human Resources department must also be involved, because employees must be trained to deal with established TOMs. In turn, department heads can provide support in this task.

Implementation and documentation of the technical organisational measures with the Robin Data Software

If you are interested in the implementation and documentation of the Technical Organisational Measures with the Robin Data ComplianceOS®, you can download the individual articles in our Help Center or book free initial meetings book.

What are the consequences of a data protection breach?

A breach of data protection law in the area of Technical Organisational Measures is described in Art. 5 para. 1 of the GDPR defined as a breach of integrity and confidentiality. Controllers thus violate the principles of data processing and must, in accordance with Art. 83 (5) GDPR face fines of up to €20 million or 4% of turnover.

If the precautions taken turn out to be inadequate in the course of a data breach, companies run a high risk. In such a case, the GDPR Art. 83 Par. 4 fines of up to €10 million or 2% of turnover.

The amount of the fine incurred is determined by certain criteria: Type, severity and duration of a violation as well as the associated consequences. Measures taken (TOMs) are also used to determine the amount. The documentation of the technical and organisational measures taken is therefore an essential part of the process. legal protection which may reduce the amount of the fine.

Conclusion: TOMs must be adapted to the requirements of the company

Security in the processing of personal data in accordance with Article 32 of the GDPR is an essential component for ensuring data protection within a company. The technical organisational measures play a central role in this.

Not only are risks identified for the company internally and corporate security strengthened, but your customers in particular benefit from the GDPR-compliant implementation of the TOMs. Companies of all sizes are required to carefully implement and document the technical organisational measures.

Digital solutions, checklists, guidelines from the supervisory authorities and data protection officers can help here.

FAQ

Technical-organisational measures are also abbreviated as "TOM" or "TOMs".

Technical-organisational measures are measures described in the GDPR which are intended to ensure the protection of personal data.

Organisational measures within the meaning of Art. 32 GDPR include measures that involve the implementation of instructions, policies and procedures for employees to ensure the security of the processing of personal data.

Public and non-public bodies that collect, process or use personal data are obliged to ensure technical and organisational measures. According to Art. 32 GDPR, companies must take technical and organisational measures to ensure an adequate level of protection, taking into account the state of the art, the costs of implementation, the purposes of the processing and the likelihood or severity of the risks to the data subjects.

According to § 9 BDSG, the following protective measures are meant. Technical measures are measures that can be implemented physically, such as alarm systems, firewalls and pseudonymisation of personal data. Organisational measures, on the other hand, are implemented through instructions and procedures, such as visitor registration, staff training or the dual control principle.

Robin Data ComplianceOS® Field Data protection

The Data Protection compliance field supports you in a court-proof and time-saving manner in the continuous implementation of your data protection management in the company. Both data protection officers and responsible persons benefit from the numerous functions.

Caroline Schwabe

This might interest you too:

IT security incident
TISAX® requirements: Information on the question catalogue, maturity levels and certification. Prepare the assessment level and audit.
Understanding and implementing audit management: Step-by-step explanation, background information, examples and definitions. Read now!
What does the NIS-2 Directive mean for organisations in Germany? Implementation obligations, sanctions, tips for implementation.